
fix(deps): update urllib3 (high) #1137

Open
claude[bot] wants to merge 2 commits into main from claude/dependabot-sweep-urllib3

Conversation


@claude claude bot commented Feb 25, 2026

Summary

  • Add urllib3>=2.6.3; python_version >= '3.9' as a uv constraint-dependency to ensure the patched version is always resolved for Python 3.9+
  • Regenerate uv.lock with the constraint recorded

Advisories Resolved (Python >= 3.9)

| GHSA ID | CVE | Severity | Summary | Patched Version |
|---|---|---|---|---|
| GHSA-2xpw-w6gg-jr37 | CVE-2025-66471 | HIGH | urllib3 streaming API improperly handles highly compressed data | 2.6.0 |
| GHSA-38jv-5279-wg99 | CVE-2026-21441 | HIGH | Decompression-bomb safeguards bypassed when following HTTP redirects | 2.6.3 |
| GHSA-48p4-8xcf-vxj5 | CVE-2025-50182 | MEDIUM | urllib3 does not control redirects in browsers and Node.js | 2.5.0 |
| GHSA-gm62-xv2j-4w53 | CVE-2025-66418 | HIGH | urllib3 allows an unbounded number of links in the decompression chain | 2.6.0 |
| GHSA-pq67-6m6q-mj2v | CVE-2025-50181 | MEDIUM | urllib3 redirects are not disabled when retries are disabled | 2.5.0 |

Lockfiles Modified

  • uv.lock

Alerts NOT Fully Resolved

All 5 alerts remain unresolved for the Python < 3.9 (3.8) resolution in uv.lock. The lockfile still contains urllib3==2.2.3 for python_full_version < '3.9' because:

  • urllib3 is a transitive dependency (sphinx → requests → urllib3), only used as a dev dependency
  • urllib3 dropped Python 3.8 support in version 2.3.0; the latest version available for Python 3.8 is 2.2.3
  • All 5 advisories require urllib3 >= 2.5.0 or higher, which is not available for Python 3.8
  • Python 3.8 reached end-of-life in October 2024

To fully resolve these alerts, the project would need to drop Python 3.8 support by raising requires-python to >=3.9. This is noted here as a follow-up consideration.

Test plan

  • uv lock resolves successfully
  • uv run make format passes
  • uv run make lint passes
  • CI test matrix passes (Python 3.8, 3.9, 3.10, 3.11, 3.12)

Resolves #1133

🤖 Generated with Claude Code

…ity advisories

Add a uv constraint-dependency to ensure urllib3 >=2.6.3 is used for
Python >=3.9, addressing 5 Dependabot security advisories (GHSA-2xpw-w6gg-jr37,
GHSA-38jv-5279-wg99, GHSA-48p4-8xcf-vxj5, GHSA-gm62-xv2j-4w53,
GHSA-pq67-6m6q-mj2v).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude claude bot requested a review from a team as a code owner February 25, 2026 22:21
@claude claude bot requested review from lia-viam and njooma February 25, 2026 22:21
@claude claude bot left a comment


Code Review

This PR is a focused, minimal security fix. No src/viam/gen/ files were modified.

Correctness ✓

The constraint-dependencies mechanism is the right approach here. urllib3 is a transitive dev-only dependency (sphinx → requests → urllib3), not a production dependency. constraint-dependencies in [tool.uv] constrains resolution without adding urllib3 as a direct dependency or embedding anything in the published wheel — that's exactly what we want.

The lock file resolves correctly:

  • urllib3==2.2.3 for python_full_version < '3.9' (the maximum version supporting Python 3.8, which dropped support in urllib3 2.3.0)
  • urllib3==2.6.3 for python_full_version >= '3.9' (patched against all 5 CVEs)

The Python 3.8 residual exposure is accurately documented in the PR body and is unavoidable without dropping 3.8 support entirely.

Minor nit: TOML section ordering (pyproject.toml, lines 98–101)

[tool.uv] was inserted between [tool.ruff] (lines 74–96) and [tool.ruff.lint.per-file-ignores] (line 103), which splits ruff's configuration across non-contiguous sections. This is valid TOML but adds visual noise. A cleaner placement would be after [tool.ruff.lint.per-file-ignores] at the end of the file. Not a blocker — just worth cleaning up in a follow-up or rebase.

Security ✓

No secrets or credentials added. The constraint pins the minimum version of a transitive dev dependency; it does not affect end-users of the published package.

Overall

The change is correct, minimal, and achieves its stated goal for Python ≥ 3.9. The Python 3.8 limitation is beyond what can be fixed without dropping that runtime version. Ready for human review and approval.
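The PR description and the review above both reason about the same two facts: a `[tool.uv].constraint-dependencies` entry sets a minimum version for a transitive dependency, and `uv.lock` then carries one locked copy of urllib3 per resolution marker. The script below, an added example that is not part of this PR or of the project's own tooling, makes that check mechanical: it reads the constraint floor from a pyproject fragment and walks every locked copy of the constrained package, reporting which resolution markers still fall below the floor. Both TOML documents are constructed for the example (the lock entries use placeholder sources and carry no hashes); the field names (`constraint-dependencies`, `[[package]]`, `resolution-markers`) follow the real uv formats, while the `>=`-only constraint grammar is a simplification assumed here.

```python
"""Audit a uv.lock against the minimum-version floors declared in
[tool.uv].constraint-dependencies.

Both TOML documents below are constructed for this example; they mirror
the shape of a real pyproject.toml / uv.lock but are not the project's files.
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: the tomli backport has the same API
    import tomli as tomllib  # type: ignore

# Constructed pyproject.toml fragment: the constraint exactly as the PR describes it.
PYPROJECT = """
[tool.uv]
constraint-dependencies = [
    "urllib3>=2.6.3; python_version >= '3.9'",
]
"""

# Constructed uv.lock fragment with the two urllib3 resolutions the PR reports,
# plus an unconstrained package to show it is skipped. No hashes or URLs included.
UV_LOCK = """
[[package]]
name = "urllib3"
version = "2.2.3"
source = { registry = "https://pypi.org/simple" }
resolution-markers = [
    "python_full_version < '3.9'",
]

[[package]]
name = "urllib3"
version = "2.6.3"
source = { registry = "https://pypi.org/simple" }
resolution-markers = [
    "python_full_version >= '3.9'",
]

[[package]]
name = "requests"
version = "2.32.3"
source = { registry = "https://pypi.org/simple" }
"""

# Matches "name>=X.Y.Z" with an optional "; marker" tail. Only the >= operator
# is handled here (an assumption of this example); a minimum-version security
# floor is the only shape of constraint this audit cares about.
_CONSTRAINT_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*>=\s*(?P<version>[0-9][0-9.]*)\s*(?:;\s*(?P<marker>.+))?$"
)


def parse_version(text):
    """Turn '2.6.3' into (2, 6, 3) for ordering; adequate for plain numeric releases."""
    return tuple(int(part) for part in text.strip().split("."))


def load_floors(pyproject_text):
    """Return {package: (floor_tuple, marker_or_None)} from constraint-dependencies."""
    data = tomllib.loads(pyproject_text)
    floors = {}
    for spec in data.get("tool", {}).get("uv", {}).get("constraint-dependencies", []):
        m = _CONSTRAINT_RE.match(spec)
        if not m:
            raise ValueError(f"unsupported constraint syntax: {spec!r}")
        floors[m["name"].lower()] = (parse_version(m["version"]), m["marker"])
    return floors


def audit_lock(lock_text, floors):
    """For every locked copy of a constrained package, decide whether it meets the floor.

    Returns a list of (name, version, resolution_marker, meets_floor) tuples, one per
    resolution marker, so a lock that forks on Python version yields one row per fork.
    """
    data = tomllib.loads(lock_text)
    findings = []
    for pkg in data.get("package", []):
        name = pkg["name"].lower()
        if name not in floors:
            continue
        floor, _marker = floors[name]
        # A package without resolution-markers is the single universal resolution.
        markers = pkg.get("resolution-markers") or ["<all environments>"]
        for marker in markers:
            findings.append((name, pkg["version"], marker, parse_version(pkg["version"]) >= floor))
    return findings


def unresolved(findings):
    """The subset of findings still below the declared floor (the residual exposure)."""
    return [f for f in findings if not f[3]]


if __name__ == "__main__":
    for name, version, marker, ok in audit_lock(UV_LOCK, load_floors(PYPROJECT)):
        print(f"{name}=={version:<8} {marker:<32} {'OK' if ok else 'BELOW FLOOR'}")
```

Run against the constructed lock, the 2.6.3 copy passes and the 2.2.3 copy for `python_full_version < '3.9'` is reported as below the floor, which is the residual Python 3.8 gap the PR body documents. Pointing the same functions at a real `pyproject.toml` and `uv.lock` turns the review's manual lockfile reading into a repeatable CI check.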


ale7714 commented Feb 25, 2026

@claude-fix Fix Minor nit: TOML section ordering (pyproject.toml, lines 98–101)
[tool.uv] was inserted between [tool.ruff] (lines 74–96) and [tool.ruff.lint.per-file-ignores] (line 103), which splits ruff's configuration across non-contiguous sections. This is valid TOML but adds visual noise. A cleaner placement would be after [tool.ruff.lint.per-file-ignores] at the end of the file. Not a blocker — just worth cleaning up in a follow-up or rebase.


claude bot commented Feb 25, 2026

Claude finished @ale7714's task in 45s

Fixed TOML section ordering

  • Read CLAUDE.md and understand conventions
  • Read pyproject.toml to understand current state
  • Move [tool.uv] section after [tool.ruff.lint.per-file-ignores]
  • Run uv run make format and uv run make lint — all checks passed
  • Commit and push changes

Moved [tool.uv] from between [tool.ruff] and [tool.ruff.lint.per-file-ignores] to after [tool.ruff.lint.per-file-ignores] at the end of the file, keeping ruff's configuration sections contiguous.

… in pyproject.toml

Keep ruff configuration sections contiguous by placing [tool.uv]
at the end of the file instead of between [tool.ruff] and
[tool.ruff.lint.per-file-ignores].

Co-authored-by: Ale Paredes <ale7714@users.noreply.github.com>
@claude claude bot left a comment


Review Summary

This is a narrow, correct dependency-constraint bump. No source files or gen/ files were touched.

Approach is sound. Using [tool.uv].constraint-dependencies (not [project.dependencies]) is the right mechanism for pinning a transitive dependency without polluting the published package's requirements. The constraint only affects uv's resolver and the lockfile.

Lockfile is consistent. uv.lock shows:

  • urllib3 2.6.3 for python_full_version >= '3.9' — satisfies all 5 advisories
  • urllib3 2.2.3 for python_full_version < '3.9' — correctly acknowledged as unresolvable since urllib3 dropped 3.8 support in 2.3.0

Hashes look authentic. The sdist and wheel URLs point to real pypi.org releases with proper SHA-256 hashes matching known urllib3 2.6.3 artifacts (upload-time 2026-01-07).

No issues to fix. The change is minimal, the PR description accurately documents the residual Python 3.8 gap and the follow-up path (dropping requires-python floor to >=3.9).

@ale7714 ale7714 self-assigned this Feb 25, 2026
Development

Successfully merging this pull request may close these issues.

fix(deps): update urllib3 (high, 5 alerts)